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REMARKS 

Amendments 

Applicants have amended their independent claims 1, 10, and 16 to include language stating 
that: (1) a message segment "comprises a packet in a packet-switched network"; (2) 
substructures are extracted by parsing a token stream "according to a grammar"; (3) the rules 
associated with tokens "define actions for intrusion detection and prevention"; and (4) the meta 
session is made persistent across message transactions "by storing data generated by the meta 
session on a persistent storage medium". Additionally, Applicants have amended claim 1 to 
explicitly state that the operations described in claim 1 are performed "with an integrated 
circuit". And Applicants have made a clerical amendment to claim 12. 

The first item finds support in the specification at paragraph 93 ("As described herein, a 
message may be transmitted in segments, e.g., packets, between server 174 and client 210."), 
among other places. The second item finds support in the specification at paragraph 77 ("The 
message segment is then transmitted to grammar based parsing engine 186 which includes 
tokenizer 294 and parser 296. Tokenizer 294 converts the message into a token stream, such as 
the token stream with reference to Figure 7. Parser 296 identifies non-terminals and valid strings 
and creates a parse tree."), among other places. The third item finds support in the specification 
at paragraph 83 ("For example, if the message contains a suspect .exe file or practical extraction 
and reporting language (Perl) script, the action may be to drop the message or quarantine the 
message and send an alert message to the server, through Queue block 192."), among other 
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places. The fourth item finds support in Figure 22C (e.g., Disk 642), among other places. 
Following entry of these amendments, twenty claims (claim 17 was previously canceled without 
prejudice) and three independent claims will remain pending in the application. 

Rejections based on Obviousness 

The Examiner has rejected claims 1-2, 4-13, and 15-21 under 35 U.S.C 103(a), as being 
obvious over U.S. Patent No. 7,069,207 to Corston-Oliver et al. (hereafter "Corston-Oliver"), in 
view of Speech Recognition Grammar Specification Version 7.0, W3C Candidate 
Recommendation 26 June 2002 (hereafter "W3C") and U.S. Patent No. 6,292,827 to Raz 
(hereafter "Raz"). When an obviousness rejection is made on the basis of an alleged combination 
of prior art elements according to known methods to yield predictable results, an examiner must 
find that the prior art included each element claimed, although not necessarily in a single prior 
art reference, with the only difference between the claimed invention and the prior art being the 
lack of actual combination of the elements in a single prior art reference. See MPEP 2143. 1 Since 
such a finding is not possible as to any of the rejected claims, as amended, Applicants 
respectfully traverse these rejections. 

In particular, prior to amendment, all of three of the Applicants' independent claims included 
language that the Applicants' semantic processing engine "parses" tokens to extract 
substructures. As noted above, the amendments add further language here stating that the parsing 
of the token stream is "according to a grammar". To meet the original language, the Examiner 

1 The latest version of this section appears to codify the previously published Examination Guidelines for 
Determining Obviousness Under 35 U.S.C. 103 in View of the Supreme Court Decision in KSR International Co. v. 
Teleflex Inc. 
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cited Corston-Oliver column 5, lines 25-28. Suffice it to say that the word "grammar" does not 
appear anywhere in Corston-Oliver, which is not surprising since the invention there seems to 
involve some sort of automated sentence diagramming using a dictionary rather than parsing 
using a context-free grammar. In this regard, compare Corston-Oliver at column 5, lines 21-34 
with Dr. Kim Hazelwood's presentation Lexical Analysis and Syntactic Analysis 
(http://www.cs.virginia.edu/kim/courses/cs671/lectures.html ) a copy of which is attached as 
Appendix A. 

The Examiner also cited Corston-Oliver (at column 8, lines 22-67) to meet the language in 
Applicants' independent claims that the Applicants' semantic processing engine uses the tokens 
to determine rules "defining actions". The amendments add further language here stating that the 
actions are "for intrusion detection and prevention". This further language would appear to 
render Corston-Oliver irrelevant, since any actions there were concerned with the creation of 
telegraphic speech, rather than intrusion detection or prevention. In this regard, see Corston- 
Oliver at column 8, lines 22-32. 

The Examiner admits that Corston-Oliver does not teach anything about using tokens 
to associate a message segment with a meta session, as described in Applicants' 
independent claims. So to meet this claim language, the Examiner has cited section 
4.1 1.1 of W3C. However, this section of W3C applies to a grammar author, rather than to 
a grammar processor/user agent/speech recognizer (i.e., a software/hardware tool), and 
concerns meta data (e.g., the author's name) in a file which contains a grammar and is 
presumably input to a parser generator such as GNU's Bison, whose manual was 
provided in one of the Applicants' disclosure certificates. Applicants do not see how this 
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reference relates to the sessions which their semantic processing engine might use to drop 
the message packets from a suspected hacker who is being tracked with a cookie, for 
example. 

In this regard, Applicants note that they discuss the term "meta session" in their 
disclosure in considerable detail, e.g., in paragraph 79 2 and Figure 10 (a "meta session" 
maintains service context across two physical sessions). Further, Applicants believe that 
their discussion is wholly consistent with the general concept of session tracking as 
known in the art, broadly defined. See e.g., Stan Kim, Safe Session Tracking, Dr. Dobb's 
Portal (March 01, 2001), a copy of which is attached as Appendix B. 

W3C nowhere describes sessions or session tracking. In apparent recognition of this 
fact, the Examiner seems to take the position that W3C somehow inherently describes 
similar functionality in section 4.1 1.1, which ostensibly concerns the document properties 
of a document creating a formal grammar (". . .It is recommended that for general 
metadata properties that grammar authors follow the metadata properties defined in the 
Dublin Core Metadata Initiative [DC]. For example, "Creator" to identify the entity 
primarily responsible for making the content of the grammar, "Date" to indicate creation 
date, or "Source" to indicate the resource From which a grammar is derived...") 
Applicants respectfully submit that they cannot discern the Examiner's rationale for this 



2 Paragraph 79 state, in part: ". . .It should be appreciated that a meta session may be based on cookies being 
exchanged, a host name, a client name, a URL, a HTTP session ID, etc. Accordingly, authentication events 336 
associated with these bases (cookies, host name, client name, URL, HTTP session ID, etc.) may initiate a meta 
session. During meta session 334 it may be decided to associate a new authentication event from a second physical 
session 332b with a previous (old) meta session as indicated at point 338 where a service context is maintained 
between physical session 332a and 332b. Exemplary meta session end events 340, i.e., rules for ending a persistent 
connection, include HTTP_CONN_CLOSE, HTTP_RESP_GE_400, a timeout, an event triggered by rule execution 
block or action execution block, etc." 
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claim of inherency and therefore do not believe that he has met his burden of proof on 
this point, as required by MPEP 2112. 

In a similar fashion, the Examiner admits that Corston-Oliver and W3C do not teach 
anything about data from meta sessions that is persistent across message transactions and 
different HTTP sessions, as described in Applicants' independent claims. So to meet this 
claim language, the Examiner has cited Raz at column 15, lines 12-32. The cited lines are 
as follows: 

...To manage this network, Optimized Integrated System Management 
Architecture (OISMA) which has the following capabilities: a) consolidate ONE 
central console that monitors all system components; b) ability to distribute 
regional and functional specific consoles; c) problem Alerts/malfunctions of 
system B different severity alerts, different kinds of alerts (pager, fax, sound, send 
messages to sub-contractor system, etc.); d) automatic recovery actions to recover 
from problems; e) ability to takeover any station and execute commands from 
distance; f) help desk tools to report, track and analyze problems on system; g) 
transaction management B tracks and manages the flow of system transactions, h) 
usage patterns and statistics; I ) network inventory autodetect and control B plug- 
and-play installation of components will be automatically recorded to inventory; 
j) hardware/Software version and configuration control; k) preventive 
Maintenance Management and 1) Central backup. 

Again, Applicants do not see how the quoted language, even when read expansively, 
describes data from meta sessions that is persistent across message transactions and 
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different HTTP sessions. Applicants' argument on this point applies a fortiori to the 
Examiner's rejection of claims 2, 11, and 18, which include language describing state 
information for a meta session as "invariant across different connections and a service 
context common to the different connections associates the different HTTP sessions of a 
user". Finally, as noted above, Applicants have amended their independent claims to add 
further language stating that the data from meta sessions is made persistent "by storing 
the data generated by the meta session on a persistent storage medium". 

At this juncture, several of the Examiner's rejections of dependent claims merit 
comment. As noted earlier, Corston-Oliver does not contain the word "grammar" and 
describes a dictionary-based system for creating telegraphic speech. So it is difficult to 
see how Corston-Oliver could teach defining an object-oriented scheme to associate a 
message segment with a rule where the scheme is enabled through "grammar based 
access", as described in claim 6. 

Similarly, Corston-Oliver does not contain the word "packet", so it is difficult to see 
how Corston-Oliver could teach evaluating the content of a message "composed of 
multiple segments", as described in claim 8. This is particularly true now that Applicant's 
have added language to claim 1 stating that a message segment comprises "a packet in a 
packet-switched network". 

Additionally, the Examiner has rejected claims 3 and 14 under 35 U.S.C. 103(a), as 
being obvious over Corston-Oliver in view of Implementation of a Content-Scanning 
Module for an Internet Firewall (Proceedings of IEEE Symposium on Field- 
Programmable Custom Computing Machines, 2003) by James Moscola, John Lockwood, 



13 



App. No. 10/753,846 

Reply to Office Action of July 2, 2008 

Ronald P. Loui, and Michael Pachos (hereafter "Moscola"), a reference submitted by 
Applicants. With respect to claim 3, the Examiner admits that Corston-Oliver does not 
teach a method for evaluating the content of a message (according to claim 1), where the 
message is quarantined if identified as suspect. With respect to claim 14, the Examiner 
seems to admit the Corston-Oliver does not teach a method for evaluating the content of a 
message which is specifically applicable to a message sent over a packet-switched 
network. So to meet this functionality which was not disclosed in Corston-Oliver, the 
Examiner points to Moscola' s abstract and introduction. 

The problem with this approach is that Moscola solely teaches the use of regular 
expressions to evaluate the content of a message sent over a network. As explained in Dr. 
Kim Hazel wood's presentation Lexical Analysis and Syntactic Analysis, regular 
expressions are used to perform lexical analysis, but not parsing, which requires a 
context-free grammar. However, the Applicants' semantic processing engine, as both 
disclosed in the specification and drawings and claimed in the amended claims, involves 
both lexical analysis with regular expressions and parsing with a grammar. In this regard, 
see paragraphs 66-67 of the specification and amended claim 1 above. Therefore, 
Moscola does not meet the functionality described in claims 3 and 14. 

Based on the foregoing, Applicants believe that none of their claims are obvious since the 
references cited by the Examiner do not teach all of the elements included in their independent 
claims, as amended. Further, Applicants believe that all of their claims are now in condition for 
allowance and request a notice of allowance with respect to them. If the Examiner has any 
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questions concerning the present response, the Examiner is requested to contact the undersigned 
at the telephone number set forth below. 

Respectfully submitted, 



Martine Penilla Gencarella, LLP 
710 Lakeway Drive, Suite 200 
Sunnyvale, California 94085 
Tel: (408)774-6921 
Customer Number 25920 



MARTINE PENILLA & GENCARELLA, LLP 



David Pitinga ^ 
Reg. No. 58690 
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